So, I’m waiting for a package that was shipped via TNT. Fine, I get a tracking number and go to TNT’s web site and do a “Track package” search, and get the tracking details. Fine…
Well — almost... Argh.
I look at the URL, and it’s http://www.tnt.com/webtracker/tracking.do.
No sign of my tracking number, as obviously they’re submitting the form using METHOD=POST. I.e.: instead of encoding the request in the query string (../tracking.do?id=123456&..), they are submitting the query encoded as POST data.
This means you can’t bookmark the page, and you must either keep it open and refresh it (answering: “yes, I want to re-submit the data”), or each time go to the search form and enter the tracking number again.
If you bookmark the page, then opening the bookmark will give you this page:
Tracker Sorry we are unable to fulfil your request Please re-submit your enquiry. Intellectual and other property rights to the information contained in this site are held by TNT Holding B.V. with all rights reserved © 2008
Well, thank you very much.
Luckily, it turns out that if you dig around the HTML of the search page and find the form variables (or use an HTTP sniffing tool like Fiddler2), their backend also supports submitting the form using a query string (METHOD=GET):
Now... why is this hidden away behind METHOD=POST?
Sure, it could be out of “security” – so that your tracking number would not be kept in the browser’s history for others to have a peek at, and possibly to avoid someone intercepting your package.
Well, fine! But then – why not offer a link from the results page, for those of us who hopefully know what we are doing?
- Most modern browsers support “privacy mode”, if you’re doing sensitive stuff. (And pretty much all browsers have a “clear history” function hidden away somewhere)
- If knowing the tracking number is all it takes to hijack and intercept my package, then what kind of security is that?